Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CORMS - Insecure direct object references (IDOR)
[description]
In Correspondence Management System (corms) in Newgen eGov 12.0, an
attacker can modify other users' profile information by manipulating
the unvalidated UserIndex parameter, aka Insecure Direct Object
Reference.
------------------------------------------
[VulnerabilityType Other]
Insecure direct object references (IDOR)
------------------------------------------
[Vendor of Product]
newgen software
------------------------------------------
[Affected Product Code Base]
Correspondence Management System (corms) - eGov 12.0
------------------------------------------
[Affected Component]
Profile Page of users. user can access and modify other personal setting page
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
user can manipulate parameter in personal setting page. this parameter can allow un-authorize access to change other user's personal information
------------------------------------------
[Reference]
https://newgensoft.com/solutions/industries/government/e-gov-office/
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
ALI AL SINAN
------------------------------------------
[CVE]
CVE-2020-35737.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment